
It just doesn't seem like a plausible hack when you take in all the circumstances that have to line up correctly:

1. The station has to be using USB Ports / Charging cables that are data enabled, not just cables that carry power

2. The hacker would need some way of injecting the malware into the charging station ports without being seen, I doubt many charging stations are internet connected so you would have to be at the device.

3. You need to have an active exploit for iOS or Android (or both) that will compromise the device and steal its data.

It just seems like a lot of work for something that in all likelihood would not work.



None of these are necessary, except half of #2. All you'd need is a "middleman" device that is subtle enough to avoid notice by the person plugging in, just like how credit card skimmers work.

> 1. The station has to be using USB Ports / Charging cables that are data enabled, not just cables that carry power

Doesn't matter, because you're (unwittingly) plugging into the attacker's device, not the station's.

> 2. The hacker would need some way of injecting the malware into the charging station ports without being seen, I doubt many charging stations are internet connected so you would have to be at the device.

You don't need to "inject" anything; you just need to physically place it between the user and the actual port and disguise it enough that people not paying attention won't notice. Or even just put a fake "charging station" in a place that the station didn't have one.

> 3. You need to have an active exploit for iOS or Android (or both) that will compromise the device and steal its data.

People are plugging in their phone so they can use it. They'll plug in the phone, unlock it, and browse the internet. What can't you do in that situation?


> They'll plug in the phone, unlock it, and browse the internet.

iOS devices (maybe Android too, idk) ask you if you want to allow new accessories to access your device. That's why they said you need an exploit.


I don't have an iOS device to test, but just found a video [1] showing someone connecting a USB keyboard and immediately using it with no prompts. Same on Android.

Even better, here's [2] a direct example of this attack using an O.MG cable [3].

[1] https://youtu.be/COndab_rQkE?t=76

[2] https://www.youtube.com/watch?v=7YpJQT55_Y8

[3] https://shop.hak5.org/products/omg-cable


Android allows you to select the 'USB mode' between charging, MTP/PTP media transfer, debugging (if enabled), and filesystem.

If not an exploit, you need the victim to do something a lot more obviously (though the absolute obviousness of course remains debatable) dumb/risky than merely plug in.


“This fast charge station requires accessories access to your device for high speed charging”

Anyone who would believe a notice like that (or would click trust without thinking) is a prime target.

It’s like many scam/spam emails- they often intentionally look a bit dubious, poor grammar, typos etc as the attacker just wants to deal with low hanging fruit, not someone who may wise up quickly that something isn’t right.


Given what I know of battery technology that seems like a plausible requirement. Why wouldn’t the phone and charger communicate?


If you attack the right part of the USB stack, the prompt and its answer don't matter.


If a malformed packet can trigger RCE in the USB stack, there wouldn’t be a prompt, right?


That's how I'm seeing it.


I'm confused about #1. If I have a power adapter plugged into the wall, and a USB cable from that power adapter to my phone, how exactly could my phone be compromised?


The scenario was talking about a power bank where you plug a USB cable into, not where you plug your own power adapter into. Lots of people, myself included, don’t carry power adapters or even charging cables on them on a day-to-day basis.

Using your own power adapter and own power cable you will be fine.

Unless someone has tampered with either of them while you were distracted momentarily but that’s too high risk/inconvenient for an attacker for you to worry about.


The attack involves placing a device between the cord and the wall.


More practically, you visit a place that has public chargers, you study them and create a compromised clone, and then you swap out the real one. Like card skimmers.


Maybe a better attack would be to create and sell a usb condom with malware built in.



